Re: ADFS June 2006 Step-by-step guide
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 1 Aug 2006 17:03:41 -0500
Under ADFS, the app (site or virtual directory) needs to be set to anonymous
auth. The ADFS web service extension actually "intercepts" the request and
creates a Windows security token based on the claims in the FS token for IIS
to use before your code actually gets to execute against the request. The
whole "anonymous" thing in IIS takes a little getting used to, but that's
the way a lot of other SSO products like this actually work.
The contents of the Windows token you'll get depend entirely on the claims
supplied to the app from ADFS and the type of user mappings you are allowing
in your trust policy. If you are allowing only user-to-user mapping, then
the claim must contain a UPN claim that matches the UPN of a user in your
forest. If you are just allowing groups, then the user must have at least one
resource FS claim with a resource group associated with it in their federation
token. There are also the hybrid settings as well.
Typically, I use user-to-user for accounts in the resource FS and use
groups-only mapping for users from foreign account partners.
From what it sounds like though, it doesn't seem like ADFS was working at all.
If the authenticated user from the test page isn't an ADFS user, then
something is weird indeed. For a user from a foreign federation account
partner, it usually looks like:
urn:federation:foreignpartner\someuser@upndomain
I'm not sure what happens if you don't supply a UPN claim though. I haven't
tried that.
Make sure you've got all the logging going and that you've got all the
audits going as well. Enabling Object auditing (success and failure) in the
local security policy will allow the ADFS Web Extension to tell you what it
is doing for federation token authentication in the Security event log.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
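A diagnostic page of the kind Joe describes above (dumping the name and groups IIS handed to the app, and whether the request arrived anonymous), written here as an added example in C#; it is not Joe's test page or any Microsoft ADFS sample, and the handler name, the `whoami.axd` path and the verdict heuristics are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added example (not from the thread): an IHttpHandler that reports what the ADFS web
// agent handed to IIS. Map it in web.config, e.g. <add verb="GET" path="whoami.axd"
// type="TokenDiagnosticHandler" /> (handler name and path are assumptions).
public class TokenDiagnosticHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        var sb = new StringBuilder();
        // Identity IIS handed to ASP.NET for this request. On an ADFS-protected site
        // with anonymous auth on, this should be built from the federation token.
        IIdentity user = ctx.User == null ? null : ctx.User.Identity;
        // Identity the code itself runs as (thread or worker-process account).
        WindowsIdentity process = WindowsIdentity.GetCurrent();
        sb.AppendLine("Request.IsAuthenticated : " + ctx.Request.IsAuthenticated);
        sb.AppendLine("User.Identity.Name      : " + (user == null ? "(null)" : user.Name));
        sb.AppendLine("User.Identity.AuthType  : " + (user == null ? "(null)" : user.AuthenticationType));
        sb.AppendLine("Process identity        : " + process.Name);
        WindowsIdentity wi = user as WindowsIdentity;
        if (wi != null && wi.Groups != null)
        {
            sb.AppendLine("Groups in token:");
            foreach (IdentityReference sid in wi.Groups)
            {
                string name;
                try { name = sid.Translate(typeof(NTAccount)).Value; }
                catch (SystemException) { name = "(SID not resolvable from this server)"; }
                sb.AppendLine("  " + sid.Value + "  " + name);
            }
        }
        sb.AppendLine("Verdict: " + Classify(user));
        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write(sb.ToString());
    }

    // Interpret the identity the way the thread describes (heuristic, added here).
    public static string Classify(IIdentity user)
    {
        if (user == null || !user.IsAuthenticated || string.IsNullOrEmpty(user.Name))
            return "anonymous: IIS handed no user to the app, so no federation token was applied";
        if (user.Name.StartsWith("urn:federation:", StringComparison.OrdinalIgnoreCase))
            return "account-partner user mapped through federation claims";
        return "resource-forest user (user-to-user mapping by UPN)";
    }
}
```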
--
"Noremac" <Noremac@xxxxxxxxxxxxxxxxx> wrote in message
news:3ECF25E2-2EC2-4F9D-B03C-3342E24773CA@xxxxxxxxxxxxxxxx
Hi Joe,
I am sure I messed something up from my conversion of the guide. That is why
I was looking for Nick's non-SharePoint sample.
I am trying to do it through the file system as this accurately represents
old non-.NET web apps we will need to protect.
When I run your sample code from my federated partner, the Windows Identity
is NT Authority. There is no Identity and no groups. When I call the same
page right from the resource web server, I get the Windows Identity of NT
Authority and the Identity of the logged in person and its groups. So this
told me I was coming in anonymous. I checked my IIS settings and sure enough,
anon was on. So I turned it off and turned on Windows Authentication. Now it
will not allow me to log in at all from either the resource web server or
partner client.
"Joe Kaplan (MVP - ADSI)" wrote:
Give me a few hours and I'll stick it on my blog (www.joekaplan.net).
In your token app, how are you trying to restrict access? Are you using
some sort of .NET role-based mechanism like the UrlAuthorizationModule (i.e.
the <allow> and <deny> tags in web.config) or are you trying to use file
system ACLs or what?
In any event, the first step is knowing what groups are in your token and my
page can help with that, so hopefully it will give you the clue you need.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Noremac" <Noremac@xxxxxxxxxxxxxxxxx> wrote in message
news:40DDB753-C4AA-41FD-B1CC-70A390D686BF@xxxxxxxxxxxxxxxx
Hi Joe,
I think that would be very helpful. I have a simple web page too that spits
out the Windows Identity principal, so I'll take anything that I can get my
hands on to try and troubleshoot this.
I agree it was simple to set up the ADFS'd website. But I have something
wacky when anyone on the "account" domain can get to the site (without anyone
belonging to the "account" resource group).
Thanks,
Noremac
"Joe Kaplan (MVP - ADSI)" wrote:
Do you want my test page that I use? Actually creating the non-SharePoint
token-based app in IIS is pretty trivial. You just create a web site and
configure ADFS on it in the IIS MMC.
My test page just spits out the user name and groups of the authenticated
user. It isn't much to look at, but it is helpful for debugging, since
that's the stuff you need to know. I'll put it up on my blog or something
if you are interested.
Also, enabling logging for token-based apps is sometimes helpful. The
troubleshooting section of the operations section of the ADFS TechNet docs
explains all the registry flipping you have to do to turn it on.
The other important thing is whether you are accessing the token site from
an account partner or the resource partner's own account store and how you
are doing the token mapping (user-to-user or group-based using claims and
resource groups).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Noremac" <Noremac@xxxxxxxxxxxxxxxxx> wrote in message
news:B1305559-AB09-493C-9C42-C4E08B48A80F@xxxxxxxxxxxxxxxx
Hi Nick,
I've been on holidays and I just got your post.
I would definitely like an existing sample on a non-portal token app.
I am hoping my issue relates to configuration that your instructions on the
Windows NT token-based app will help me find.
Thanks!
"Nick Pierson [MS]" wrote:
Noremac,
Susieber alerted me to your post. I'm the author of the ADFS Step-by-Step
Guide.
Unfortunately, this guide has never been tested at Microsoft using a VM
environment. At some point I would really like to try this myself and then
update the guide accordingly. I'm in the process of writing the deployment
guide so I'm not exactly sure when I will be able to get to this.
I can tell you that this step-by-step guide has been thoroughly tested using
4 computers, and that in this situation it does result in setting up a
successful ADFS test lab environment.
Since I have not personally set up the step-by-step guide using VMs, I would
recommend that you acquire 4 computers and then follow the step-by-step guide
from start to finish (the appendixes are not required to get a functional
demo working). Make sure to follow the IP addressing scheme and other naming
schemes to the letter. If you don't want to go through it again, I
understand.
Also, if you are interested in setting up a non-SharePoint app for your
Windows NT token-based application, let me know. I can send you some
instructions for setting up a very simple token-based application that has
been tested for use with our step-by-step guide.
Thanks,
Nick Pierson
Technical Writer - ADFS
Microsoft
http://blogs.technet.com/adfs_documentation/default.aspx
****This posting is provided "AS IS" with no warranties, and confers no rights.****